PowerShell remoting is an important topic, as many customers still believe it is insecure. The opposite is the case, as this topic will show. Unfortunately, many customers rely on other remote-management channels instead, such as:
- Remote Desktop Protocol (RDP)/MSTSC
- PSEXEC
- SMB file share access/SMBv1
- Remote WMI access over DCOM/RPC, which uses dynamically assigned ports (hard to firewall) and does not encrypt the payload by default
- Remote event log management
- Remote service management
On top of this lack of understanding, many companies still do not enable or correctly configure the host firewall on their endpoints, and that is just the basics.
PowerShell Core supports remoting via WMI, WS-Management, and SSH; RPC is no longer supported. Windows PowerShell remoting uses WinRM (Windows Remote Management) by default.
In the default configuration, only members of the local Administrators group (and of the Remote Management Users group) are allowed to connect, and the connection uses one of the following ports:
- 5985 (HTTP)
- 5986 (HTTPS, requires a server certificate bound to the listener)
Many customers choose HTTPS in order to rule out Man-in-the-Middle (MITM) attacks, yet the transferred content is already encrypted by default: after the initial authentication, every session is protected with a per-session AES-256 symmetric key, which makes the extra effort of deploying certificates and switching to HTTPS questionable inside a domain. The default authentication protocol is Kerberos, which should always be preferred, because it authenticates both client and server. In practice this means connecting by FQDN matters more than the listener transport: connecting by IP address forces a fallback to NTLM (and requires a TrustedHosts entry), which encrypts but does not authenticate the server. HTTPS remains worthwhile where Kerberos is not available, such as workgroup hosts, and it is mandatory if Basic authentication is used, since Basic over plain HTTP only works with AllowUnencrypted enabled and then sends everything in clear text. Furthermore, WinRM runs as a separate service under the Network Service account; it spawns isolated host processes (wsmprovhost.exe) running as the connecting user to host the PowerShell instances.
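The following is an added example, not code from the original text, that checks the defaults described above on a Windows host where remoting is enabled: which listeners exist, whether the service still rejects unencrypted and Basic authentication, and whether a live session actually negotiated Kerberos. The host name `srv01.contoso.local` and the optional certificate thumbprint are assumptions; replace them with your own.

```powershell
# Added example: audit WinRM transport and authentication defaults. Run elevated.

# 1. Listeners. A default install has one HTTP listener on 5985; an HTTPS listener on
#    5986 only exists if somebody created one and bound a certificate to it.
Get-ChildItem WSMan:\localhost\Listener | ForEach-Object {
    $props = Get-ChildItem $_.PSPath
    [pscustomobject]@{
        Transport             = ($props | Where-Object Name -eq 'Transport').Value
        Port                  = ($props | Where-Object Name -eq 'Port').Value
        CertificateThumbprint = ($props | Where-Object Name -eq 'CertificateThumbprint').Value
    }
}

# 2. Service-side authentication. Defaults: Kerberos and Negotiate true, Basic false,
#    AllowUnencrypted false. With those defaults the payload is encrypted with the
#    per-session key even on the HTTP listener, so anything else here is a finding.
$auth             = Get-ChildItem WSMan:\localhost\Service\Auth
$allowUnencrypted = (Get-Item WSMan:\localhost\Service\AllowUnencrypted).Value
$auth | Select-Object Name, Value

$findings = @()
if ($allowUnencrypted -ne 'false') {
    $findings += 'AllowUnencrypted is true: Basic auth over HTTP would send credentials and payload in clear text'
}
if (($auth | Where-Object Name -eq 'Basic').Value -ne 'false') {
    $findings += 'Basic authentication is enabled on the service'
}
if (($auth | Where-Object Name -eq 'Kerberos').Value -ne 'true') {
    $findings += 'Kerberos authentication is disabled; clients will fall back to NTLM'
}
if ($findings) { $findings | ForEach-Object { Write-Warning $_ } } else { 'Auth settings match the secure defaults' }

# 3. (Optional) add an HTTPS listener. The thumbprint is an assumption; use a server
#    certificate whose subject matches the host name and that the clients trust.
# $thumb = 'AB12...'
# New-Item -Path WSMan:\localhost\Listener -Transport HTTPS -Address * -CertificateThumbprint $thumb -Force

# 4. Prove a session really used Kerberos. Forcing -Authentication Kerberos makes the
#    connection fail instead of silently downgrading to NTLM, and the remote side
#    reports which package authenticated the caller.
$target = 'srv01.contoso.local'   # assumption: connect by FQDN, never by IP address
$session = New-PSSession -ComputerName $target -Authentication Kerberos
Invoke-Command -Session $session -ScriptBlock {
    $PSSenderInfo.UserInfo.Identity.AuthenticationType   # expected: Kerberos
}
Remove-PSSession $session
```

The `AuthenticationType` check is the quickest way to catch the classic misconfiguration where an administrator "fixed" a connection problem by adding the server's IP address to `TrustedHosts`, turning every session into an NTLM session without anyone noticing.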
In its default configuration, PowerShell remoting is therefore secure by default. If you want to go further, you can tighten the rules with IP filters on the listener, scoped firewall rules, and session configurations that define which user groups are allowed to connect to specific servers. In particular, when you move up a tier level and the destination servers are jump servers or privileged access workstations (PAW), it is recommended to harden the remoting connections and to monitor them. On the monitoring side, PowerShell's logging capabilities (script block and module logging together with the WinRM operational log) give a complete overview of the remoting connections and force attackers to leave traces at every step.
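As an added example (not taken from the original text), the script below applies the hardening just described to a jump server and then pulls the audit trail it produces. The admin subnet `10.10.20.0/24` and the group `CONTOSO\Tier0-Admins` are assumptions; the firewall rule name `WINRM-HTTP-In-TCP`, the WSMan `IPv4Filter` setting, the `ScriptBlockLogging` policy key, WinRM event 91 (remote shell created) and PowerShell event 4104 (script block executed) are the built-in Windows names.

```powershell
# Added example: restrict and monitor remoting on a tier-0 jump server. Run elevated.
$adminRange   = '10.10.20.0-10.10.20.255'   # assumption: your admin/PAW subnet
$adminCidr    = '10.10.20.0/24'
$allowedGroup = 'CONTOSO\Tier0-Admins'      # assumption: the only group allowed to connect

# 1. Accept WinRM traffic only from the admin subnet, both at the listener and at the
#    host firewall. The WSMan filter is a range list; the firewall rule takes CIDR.
Set-Item WSMan:\localhost\Service\IPv4Filter -Value $adminRange -Force
Set-NetFirewallRule -Name 'WINRM-HTTP-In-TCP' -RemoteAddress $adminCidr

# 2. Decide who may open a session on the default endpoint. The SDDL keeps the
#    built-in Administrators grant (BA), adds the allowed group by SID, and drops the
#    default Remote Management Users grant. Everyone else gets Access Denied.
$sid  = (New-Object System.Security.Principal.NTAccount($allowedGroup)).Translate([System.Security.Principal.SecurityIdentifier]).Value
$sddl = "O:NSG:BAD:P(A;;GA;;;BA)(A;;GA;;;$sid)S:P(AU;FA;GA;;;WD)(AU;SA;GXGW;;;WD)"
Set-PSSessionConfiguration -Name Microsoft.PowerShell -SecurityDescriptorSddl $sddl -Force

# 3. Record what runs (script block logging) and keep the WinRM operational log,
#    which records every remote shell that is created.
$sbl = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\PowerShell\ScriptBlockLogging'
New-Item -Path $sbl -Force | Out-Null
Set-ItemProperty -Path $sbl -Name EnableScriptBlockLogging -Value 1 -Type DWord
wevtutil set-log Microsoft-Windows-WinRM/Operational /enabled:true

# 4. Review the last 24 hours: who opened a remote shell, and what they executed.
$since = (Get-Date).AddHours(-24)
Get-WinEvent -FilterHashtable @{ LogName = 'Microsoft-Windows-WinRM/Operational'; Id = 91; StartTime = $since } |
    Select-Object TimeCreated, UserId, Message
Get-WinEvent -FilterHashtable @{ LogName = 'Microsoft-Windows-PowerShell/Operational'; Id = 4104; StartTime = $since } |
    Select-Object TimeCreated, @{ Name = 'ScriptBlock'; Expression = { $_.Properties[2].Value } }
```

Two caveats a practitioner should know: `Set-PSSessionConfiguration -Force` restarts the WinRM service, which drops every open session on the host, so schedule it; and the SDDL only applies to the `Microsoft.PowerShell` endpoint, so any other registered endpoint (for example `Microsoft.PowerShell32`, or `PowerShell.7` when PowerShell 7 remoting is installed) needs the same treatment or should be unregistered.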
All of this leads to one conclusion: PowerShell remoting should be the only way to carry out tasks that require higher privileges or that cross tier boundaries.